User authentication on a Jersey REST service

2019-01-05 10:01发布

I am developing a REST application, which is using the Jersey framework. I would like to know how I can control user authentication. I have searched many places, and the closest article I have found is this: http://weblogs.java.net/blog/2008/03/07/authentication-jersey.

However this article can only be used with a GlassFish server and an attached database. Is there anyway that I can implement an interface in Jersey and use it as a filter before reaching the requested REST resource?

I want to use basic authentication right now, but it should be flexible enough such that I can change that at a later time.

5条回答
Bombasti
2楼-- · 2019-01-05 10:44

I'm working on something similar to this. In my implementation, we have Apache httpd front-ended to handle HTTP Basic authentication and it simply forwards all requests with some header information containing the user and roles.

From that, I'm working on parsing these pieces out using a servlet filter to wrap the HttpServletRequest using a post I found on CodeRanch. This allows me to use the javax.annotation.security annotations like @RolesAllowed on each resource I want to filter. To get all of these pieces working, however, I had to add the following to my servlet in the web.xml:

<servlet>
  <!-- some other settings and such 
  ... -->
  <init-param>
    <param-name>com.sun.jersey.spi.container.ResourceFilters</param-name>
    <param-value>com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory</param-value>
  </init-param>
  ...
</servlet>

You might find that Eric Warriner's answer on a recent post of interest: Jersey, Tomcat and Security Annotations

查看更多
兄弟一词,经得起流年.
3楼-- · 2019-01-05 10:44

Have a look here, I'm in the middle of trying it, but it looks promising:

http://anismiles.wordpress.com/2012/03/02/securing-versioning-and-auditing-rest-jax-rs-jersey-apis/

This example is much simpler than attempting to implement JASPI/JASPIC and gives better granularity to the individual methods (@RolesAllowed, @PermitAll, @DenyAll, etc...).

(I know this is an old thread, but just adding potentially useful information)

查看更多
孤傲高冷的网名
4楼-- · 2019-01-05 10:50

Sure, you can use a traditional servlet filter for this.

Add the filter to your web.xml, check for whatever authentication headers you're using (Basic or Digest), perform your authentication logic based on those values, and store the result in a session attribute. In your Jersey resource (ctor probably), extract the auth result from the session attribute and continue processing or not based on whether this is the result you require.

Your Jersey resource ctor would probably look like this:

protected AbstractResource(@Context ServletContext servletContext, 
    @Context HttpServletRequest httpServletRequest) {

    ...

    HttpSession session = httpServletRequest.getSession();
    // get whatever you put in the session in the auth filter here and compare
}
查看更多
一纸荒年 Trace。
5楼-- · 2019-01-05 11:01

I'm sucessfully using spring security for securing my Jersey-based API. It has pluggable authentication schemes allowing you to switch from Basic Auth to something else later. I'm not using Spring in general, just the security stuff.

Here is the relevant part from my web.xml

<listener>
    <listener-class>
        org.springframework.web.context.ContextLoaderListener
    </listener-class>
</listener>

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/security-applicationContext.xml,
        /WEB-INF/applicationContext.xml
    </param-value>
</context-param>

<!-- Enables Spring Security -->

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>
        org.springframework.web.filter.DelegatingFilterProxy
    </filter-class>
    <init-param>
        <param-name>targetBeanName</param-name>
        <param-value>springSecurityFilterChain</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>

</filter-mapping>

You can leave applicationContext.xml empty (<beans></beans>). An example of the security-applicationContext.xml can be found here

查看更多
Explosion°爆炸
6楼-- · 2019-01-05 11:02

You can do it in two ways, either you write a simple servlet filter or you have to implement a ResourceFilterFactory and handle the auth in ContainerRequestFilter. The detailed code is in the link http://neopatel.blogspot.com/2011/11/jesey-writing-authentication-filter.html. I like the servlet filter approach personally as it give complete lifecycle control. However if you need more specifc things like accessing QueryParams or PathParams then ResourceFilterFactory is the way to go.

查看更多
登录 后发表回答